CefAddCrossOriginWhitelistEntry Method |
Add an entry to the cross-origin whitelist.
Namespace: CefSharp
Assembly: CefSharp.Core (in CefSharp.Core.dll) Version: 90.6.50.0
Syntaxpublic static bool AddCrossOriginWhitelistEntry( string sourceOrigin, string targetProtocol, string targetDomain, bool allowTargetSubdomains )
Parameters
- sourceOrigin
- Type: SystemString
The origin allowed to be accessed by the target protocol/domain. - targetProtocol
- Type: SystemString
The target protocol allowed to access the source origin. - targetDomain
- Type: SystemString
The optional target domain allowed to access the source origin. - allowTargetSubdomains
- Type: SystemBoolean
If set to true would allow a blah.example.com if the targetDomain was set to example.com
Return Value
Type: BooleanReturns false if is invalid or the whitelist cannot be accessed.
Remarks
The same-origin policy restricts how scripts hosted from different origins
(scheme + domain + port) can communicate. By default, scripts can only access
resources with the same origin. Scripts hosted on the HTTP and HTTPS schemes
(but no other schemes) can use the "Access-Control-Allow-Origin" header to
allow cross-origin requests. For example, https://source.example.com can make
XMLHttpRequest requests on http://target.example.com if the
http://target.example.com request returns an "Access-Control-Allow-Origin:
https://source.example.com" response header.
Scripts in separate frames or iframes and hosted from the same protocol and
domain suffix can execute cross-origin JavaScript if both pages set the
document.domain value to the same domain suffix. For example,
scheme://foo.example.com and scheme://bar.example.com can communicate using
JavaScript if both domains set document.domain="example.com".
This method is used to allow access to origins that would otherwise violate
the same-origin policy. Scripts hosted underneath the fully qualified
sourceOrigin URL (like http://www.example.com) will be allowed access to
all resources hosted on the specified targetProtocol and targetDomain.
If targetDomain is non-empty and allowTargetSubdomains if false only
exact domain matches will be allowed. If targetDomain contains a top-
level domain component (like "example.com") and allowTargetSubdomains is
true sub-domain matches will be allowed. If targetDomain is empty and
allowTargetSubdomains if true all domains and IP addresses will be
allowed.
This method cannot be used to bypass the restrictions on local or display
isolated schemes. See the comments on CefCustomScheme for more
information.
This function may be called on any thread. Returns false if sourceOrigin
is invalid or the whitelist cannot be accessed.
See Also